R7000 and IPv6

Author Message
fggs
DD-WRT Guru


Joined: 28 Jan 2008
Posts: 1741

PostPosted: Sat Nov 26, 2016 14:46
I don't mean to hijack this thread, but I see there are a lot of IPv6 concepts here that I didn't find anywhere on this forum or the wiki.

I'm very new to the whole IPv6 world and I'm trying to set up mine.

What I know so far is that if I plug my modem directly into my computer I get IPv6 and IPv4, but I don't know the prefix length, so my first question is:

1- How to discover prefix length?

I'm running build "BS 30880 big" on my RT-N16. If I select "DHCPv6 with Prefix Delegation" in "Setup->IPv6" I do get an IPv6 address like this one: 2804:7f1:2080:4536:200:ff:fe00:0, but on ipv6-test.com I get "Not supported".

I'm using PPPoE.

2- I would like to leave my LAN on IPv4, do I need IPv6 on LAN to make IPv6 work on the tests?

Let me know if I can provide any other useful information, thanks!
SmallvilleLA
DD-WRT Novice


Joined: 03 Jun 2016
Posts: 20

PostPosted: Sat Nov 26, 2016 23:47
Kong 30880 Netgear R7000
ISP is Time Warner

Issues I had: 1) the modem provided by TWC didn't support IPv6; 2) TWC DNS doesn't support IPv6; 3) TWC tech support gave conflicting info.

Working now without my router after swapping the modem and using Google DNS 2001:4860:4860::8888, 2001:4860:4860::8844
Switched the IPv4 also to 8.8.8.8, 8.8.4.4

Now I'll put the router back in the loop.
You need both running (at least initially) to pass the IPv6 test without a warning about not having IPv4. I think the custom thing "Halfbit" is doing might have the intent of keeping the channels separate?
Google has a NAT64 gateway thing that I believe is intended for IPv6-only users.
The prefix is still somewhat unclear, although one of the TWC techs finally read something about 56 or 64 working, so...
HalfBit
DD-WRT Guru


Joined: 04 Sep 2009
Posts: 776
Location: AR, USA

PostPosted: Mon Nov 28, 2016 3:52
SmallvilleLA wrote:
Kong 30880 Netgear R7000
ISP is Time Warner

Issues I had: 1) the modem provided by TWC didn't support IPv6; 2) TWC DNS doesn't support IPv6; 3) TWC tech support gave conflicting info.

Working now without my router after swapping the modem and using Google DNS 2001:4860:4860::8888, 2001:4860:4860::8844
Switched the IPv4 also to 8.8.8.8, 8.8.4.4

Now I'll put the router back in the loop.
You need both running (at least initially) to pass the IPv6 test without a warning about not having IPv4. I think the custom thing "Halfbit" is doing might have the intent of keeping the channels separate?
Google has a NAT64 gateway thing that I believe is intended for IPv6-only users.
The prefix is still somewhat unclear, although one of the TWC techs finally read something about 56 or 64 working, so...

If you're referring to my configuration and the references to br0 and br1, that is to separate networks. Bridge br0 is my network, br1 is my guest network. Both have SSIDs on the 2.4G and 5G bands, and the router's switch is still tied to br0 which is default.

_________________
R7000 Nighthawk - DD-WRT v3.0-r50308
~~~~~~~~~~Dismantled for learning opportunities~~~~~~~~~~
WRT54Gv2
WRT54Gv8.2
~~~~~~~~~~Other Settings~~~~~~~~~
https://nextdns.io/?from=2d3sq39x
https://pi-hole.net/
https://github.com/DNSCrypt/dnscrypt-proxy
mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1848
Location: Canada

PostPosted: Fri May 26, 2017 21:41
Where to start... My ISP & VPN providers don’t support IPv6 as of yet and I haven’t run into any limitation with IPv4 either. But IPv6 is the future and I wanted to get access to it. The past couple of weeks were a steep learning curve with a lot of reading and trial and error to get IPv6 working on my network the way I wanted it, and it works great. Many thanks to JAMESMTL and many others for posting examples, but all the information was all over the place and I just want to post my working configuration that may help others. This configuration is for FOUR bridges br0, br1, br2 & br3 with assigned interfaces; modify it to your liking. I don’t understand all of it but it works.

I selected HE Tunnel Broker for my IPv6 services.

I didn’t want to experiment with my working two-R7000 configuration and set up a dedicated R7000 (now an E2000) to experiment with IPv6.

This configuration will give 4 networks access to IPv6, and the build used on the R7000 is Kong’s 31870.

You need a registered account with HE Tunnel Broker at https://tunnelbroker.net/. Once you are registered you are automatically given a /64 prefix, which is good for one interface, but in your account's tunnel details you can assign yourself a /48 prefix to give many interfaces IPv6 access.

Routed /64: 2001:470:AAAA:BBBB::/64
Router /48: 2001:470:CCCC::/48

When using the Router /48 Prefix you basically have 65,355 “/64 Prefixes”, 2001:470:CCCC:DDDD::/64 where DDDD can be from 1 to FFFF.

For Example for my 4 networks I used the following...

br0 uses 2001:470:CCCC:1::/64
br1 uses 2001:470:CCCC:2::/64
br2 uses 2001:470:CCCC:3::/64
br3 uses 2001:470:CCCC:4::/64

For the initial configuration on the R7000 I enabled IPv6 and set IPv6 Type to 6in4 Static Tunnel. I followed the GUI guide at https://www.dd-wrt.com/wiki/index.php/IPv6,_6in4_tunnel_-_GUI_only (see the picture called “Setting ddwrt GUI”) with TWO changes...

1) In the Assigned / Routed Prefix in the DD-WRT IPv6 GUI it assigns your br0 IPv6 address space so use 2001:470:CCCC:1:: and leave the Prefix Length at 64.

2) Disable the Radvd, I will be using DNSMasq in this configuration.

Now, in the “Additional DNSMasq Options”, configure the IPv6 settings. I commented out quiet-dhcp6 to see the messages in the syslog...

Code:

all-servers
strict-order
enable-ra
interface=br0
ra-param=br0,60,1800
dhcp-range=br0,::1000,::FFFF,constructor:br0,ra-stateless,ra-names,4h
dhcp-option=br0,option6:dns-server,[::1]
dhcp-option=br0,option6:ntp-server,[2001:470:0:50::2]
interface=br1
ra-param=br1,60,1800
dhcp-range=br1,::1000,::FFFF,constructor:br1,ra-stateless,ra-names,4h
dhcp-option=br1,option6:dns-server,[::1]
dhcp-option=br1,option6:ntp-server,[2001:470:0:50::2]
interface=br2
ra-param=br2,60,1800
dhcp-range=br2,::1000,::FFFF,constructor:br2,ra-stateless,ra-names,4h
dhcp-option=br2,option6:dns-server,[::1]
dhcp-option=br2,option6:ntp-server,[2001:470:0:50::2]
interface=br3
ra-param=br3,60,1800
dhcp-range=br3,::1000,::FFFF,constructor:br3,ra-stateless,ra-names,4h
dhcp-option=br3,option6:dns-server,[::1]
dhcp-option=br3,option6:ntp-server,[2001:470:0:50::2]
quiet-ra
quiet-dhcp
#quiet-dhcp6

The Firewall script I used, just change to use your assigned /48 Prefix ...

Code:

# HE-IPv6 Firewall Script
#
# The IPv6 GUI only configures br0; give each other bridge its /64
# (the connected route for the prefix is added along with the address)
ip addr add 2001:470:CCCC:2::/64 dev br1
ip addr add 2001:470:CCCC:3::/64 dev br2
ip addr add 2001:470:CCCC:4::/64 dev br3
#
# Use OpenDNS IPv6 DNS servers as dnsmasq upstreams
echo "nameserver 2620:0:ccc::2" > /tmp/resolv.dnsmasq
echo "nameserver 2620:0:ccd::2" >> /tmp/resolv.dnsmasq
#
# Respond to HE tunnel server PING (HE expects the IPv4 endpoint to answer ICMP echo)
iptables -I INPUT 2 -p icmp -s 66.220.2.74 -j ACCEPT
#
# More IPv6 configuration: accept traffic from the extra bridges
ip6tables -I INPUT 5 -i br3 -j ACCEPT
ip6tables -I INPUT 5 -i br2 -j ACCEPT
ip6tables -I INPUT 5 -i br1 -j ACCEPT
# Let LAN clients reach dnsmasq: DNS over UDP and TCP (53) and DHCPv6 (UDP 547)
ip6tables -I INPUT 2 -i br+ -p udp --dport 53 -j ACCEPT
ip6tables -I INPUT 2 -i br+ -p tcp --dport 53 -j ACCEPT
ip6tables -I INPUT 2 -i br+ -p udp --dport 547 -j ACCEPT

Having a dedicated R7000 for only IPv6 services was not CPU intensive at all. So I switched it for a Linksys E2000 with Build K3.X BS 31899 with the same configuration. The dedicated E2000 is working fine to service IPv6 for all 4 networks.

UPDATE...

I was doing some IPv6 tunnel speed tests and the E2000 was very limited; even overclocked to 400MHz it would max out at 26Mbit/s. I reinstated the 3rd R7000 in the network for IPv6 tunnel services; it maxes out my 150Mbit/s ISP with only about 50% CPU usage.

UPDATE...

Changes JAMESMTL recommended, tested and working. TIA!!

_________________
Home Network on Telus 1Gb PureFibre - 10GbE Copper Backbone
2x R7800 - Gateway & WiFi & 3xWireGuard - DDWRT r53562 Std k4.9

Off Site 1

R7000 - Gateway & WiFi & WireGuard - DDWRT r54517 Std
E3000 - Station Bridge - DDWRT r49626 Mega K4.4

Off Site 2

R7000 - Gateway & WiFi - DDWRT r54517 Std
E2000 - Wired ISP IPTV PVR Blocker - DDWRT r35531


YAMon 3.4.6 | DNSCrypt-Proxy V2


Last edited by mac913 on Sat May 27, 2017 15:07; edited 2 times in total
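An added example, not part of mac913's post or of DD-WRT: a small POSIX shell generator that carves the per-bridge /64s out of the /48 and prints the dnsmasq stanzas and `ip addr add` lines shown above from one loop, refusing a fourth hextet outside 1..FFFF and refusing a /64 passed where the /48 belongs (the routed /64 vs. /48 mix-up the post warns about). 2001:470:CCCC is the post's placeholder /48; the dns-server value is [::], which is what the thread later settles on; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): derive per-bridge /64 prefixes from an
# HE routed /48 and print the dnsmasq stanzas and "ip addr add" lines.
# 2001:470:CCCC is the post's placeholder /48; replace it with your own.

P48="2001:470:CCCC"

# bridge_prefix <48-prefix> <index>
# Prints <48-prefix>:<index in hex>::/64. The index is the fourth hextet
# (DDDD in the post), so it must be a decimal 1..65535 with no leading zero.
bridge_prefix() {
    p48=$1
    idx=$2
    case "$idx" in
        ''|*[!0-9]*|0*) echo "bridge_prefix: index must be decimal 1..65535" >&2; return 1 ;;
    esac
    if [ "$idx" -gt 65535 ]; then
        echo "bridge_prefix: index $idx outside 1..65535" >&2
        return 1
    fi
    printf '%s:%x::/64\n' "$p48" "$idx"
}

# check_p48 <prefix>: a /48 is exactly three hextets. Passing the routed /64
# (four hextets) here is the classic mix-up, so it is refused.
check_p48() {
    echo "$1" | grep -Eq '^[0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){2}$'
}

# dnsmasq_stanza <bridge>: RA + stateless DHCPv6 for one bridge, as in the post.
# [::] makes dnsmasq advertise its own address on that interface as DNS server.
dnsmasq_stanza() {
    br=$1
    printf 'interface=%s\n' "$br"
    printf 'ra-param=%s,60,1800\n' "$br"
    printf 'dhcp-range=%s,::1000,::FFFF,constructor:%s,ra-stateless,ra-names,4h\n' "$br" "$br"
    printf 'dhcp-option=%s,option6:dns-server,[::]\n' "$br"
}

# addr_line <48-prefix> <bridge> <index>: the firewall-script line for one bridge.
addr_line() {
    pfx=$(bridge_prefix "$1" "$3") || return 1
    printf 'ip addr add %s dev %s\n' "$pfx" "$2"
}

# generate <48-prefix>: br0 is configured by the GUI, so only br1..br3 get
# address lines, but every bridge gets a dnsmasq stanza.
generate() {
    check_p48 "$1" || { echo "generate: $1 is not a /48 (three hextets)" >&2; return 1; }
    echo "# --- dnsmasq additional options ---"
    echo "enable-ra"
    for br in br0 br1 br2 br3; do
        dnsmasq_stanza "$br"
    done
    echo "# --- firewall script ---"
    for pair in br1:2 br2:3 br3:4; do
        addr_line "$1" "${pair%%:*}" "${pair##*:}" || return 1
    done
}

generate "$P48"
```

Run it once with your real /48 and paste the two printed sections into the DNSMasq options box and the firewall script respectively; the index check is what stops a typo like `:10000::` from silently producing a prefix outside your allocation.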
JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

PostPosted: Sat May 27, 2017 3:41
@mac913

The configuration of dhcp6c for a 6in4 tunnel is irrelevant, and honestly the dhcp6c options in the GUI should be disabled when 6in4 is selected.

dhcp6c is a DHCPv6 / DHCPv6-PD client whose sole purpose is to obtain an IPv6 address and / or prefixes from an upstream DHCPv6(-PD) server and assign addresses to local interfaces.

As you don't have any upstream DHCPv6 providers, running dhcp6c will needlessly send solicits which will never be replied to.

On a side note, pushing external IPv6 DNS servers, e.g. dhcp-option=br1,option6:dns-server,[2620:0:ccc::2],[2620:0:ccd::2], defeats running a caching DNS forwarder on those interfaces. Ideally dnsmasq would forward all IPv4 / IPv6 DNS upstream and cache the results locally for best performance.
mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1848
Location: Canada

PostPosted: Sat May 27, 2017 10:18
JAMESMTL I made the recommended changes to my original post above.

TIA!!

mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1848
Location: Canada

PostPosted: Wed May 31, 2017 18:35
Is there a firewall rule that will direct all IPv6 DNS inquiries to the router and its nameservers, so users don't use their preferred IPv6 DNS servers on my network?

With IPv4 IPTABLES I would use...

iptables -t nat -I PREROUTING -p udp -s 192.168.1.0/24 --dport 53 -j DNAT --to 192.168.1.1
iptables -t nat -I PREROUTING -p tcp -s 192.168.1.0/24 --dport 53 -j DNAT --to 192.168.1.1

I can't seem to find anything for IPv6 IP6TABLES to do the same thing.

JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

PostPosted: Wed May 31, 2017 19:43
You could use the same logic as IPv4 and use -j DNAT or REDIRECT depending on your desired outcome. On my Linux boxes I use the following, which redirects only if the origin prefix is part of a predefined ipset:

ip6tables -t nat -A PREROUTING -p udp --dport 53 -m set --match-set DNS-LOCAL-V6 src -j REDIRECT --to-port 53

The problem you're going to run into with DD-WRT is that I doubt the required modules are loaded or even included in the distro. They may be available via Kong's repo.

Looking quickly at my setup, I believe the required modules are ip6table_nat + nf_nat_ipv6.

Unfortunately I don't have access to any of my DD-WRT routers to look into it at the moment, nor will I have the time for a while to even play around with it, but at least you have a starting point for your research.
mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1848
Location: Canada

PostPosted: Thu Jun 01, 2017 1:01
So far I enabled USB Storage and configured a USB stick to run bootstrap and installed 2 packages....

root@HE-IPv6:~# opkg install ip6tables-mod-nat
Installing ip6tables-mod-nat (1.4.21-2) to root...
Downloading http://www.desipro.de/musl/base/ip6tables-mod-nat_1.4.21-2_bcm53xx.ipk.
Installing libc (1.1.14-1) to root...
Downloading http://www.desipro.de/musl/base/libc_1.1.14-1_bcm53xx.ipk.
Installing libgcc (5.3.0-1) to root...
Downloading http://www.desipro.de/musl/base/libgcc_5.3.0-1_bcm53xx.ipk.
Installing ip6tables (1.4.21-2) to root...
Downloading http://www.desipro.de/musl/base/ip6tables_1.4.21-2_bcm53xx.ipk.
Installing iptables (1.4.21-2) to root...
Downloading http://www.desipro.de/musl/base/iptables_1.4.21-2_bcm53xx.ipk.
Installing libip4tc (1.4.21-2) to root...
Downloading http://www.desipro.de/musl/base/libip4tc_1.4.21-2_bcm53xx.ipk.
Installing libxtables (1.4.21-2) to root...
Downloading http://www.desipro.de/musl/base/libxtables_1.4.21-2_bcm53xx.ipk.
Installing libip6tc (1.4.21-2) to root...
Downloading http://www.desipro.de/musl/base/libip6tc_1.4.21-2_bcm53xx.ipk.
Configuring libgcc.
Configuring libc.
Configuring libxtables.
Configuring libip4tc.
Configuring libip6tc.
Configuring iptables.
Configuring ip6tables.
Configuring ip6tables-mod-nat.

root@HE-IPv6:~# insmod nf_nat_ipv6

Kernel version of ip6tables is v1.3.7
OPKG version of /opt/usr/sbin/ip6tables is v1.4.21

I tried running these commands without any luck.

root@HE-IPv6:~# ip6tables -t nat -A PREROUTING -i br1 -p tcp --dport 53 -j DNAT --destination ::1
ip6tables v1.3.7: can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.

root@HE-IPv6:~# /opt/usr/sbin/ip6tables -t nat -A PREROUTING -i br1 -p tcp --dport 53 -j DNAT --to-destination ::1
ip6tables v1.4.21: can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.


Last edited by mac913 on Thu Jun 01, 2017 4:50; edited 1 time in total
JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

PostPosted: Thu Jun 01, 2017 1:08
Simply downloading the modules doesn't load them.

lsmod - show loaded modules
insmod - load a module
rmmod - remove a module

**edit: to find your modules

find / -name '*.ko' | grep nat
JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

PostPosted: Thu Jun 01, 2017 5:07
My bad, I guess I was a touch quick with my earlier response, as on second look I see you loaded nf_nat_ipv6.

You're still missing the ip6table_nat module.
mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1848
Location: Canada

PostPosted: Thu Jun 01, 2017 5:25
I installed ip6tables-mod-nat....

root@HE-IPv6:~# opkg install ip6tables-mod-nat
Installing ip6tables-mod-nat (1.4.21-2) to root...
Downloading http://www.desipro.de/musl/base/ip6tables-mod-nat_1.4.21-2_bcm53xx.ipk.
Installing libc (1.1.14-1) to root...
Downloading http://www.desipro.de/musl/base/libc_1.1.14-1_bcm53xx.ipk.
Installing libgcc (5.3.0-1) to root...
Downloading http://www.desipro.de/musl/base/libgcc_5.3.0-1_bcm53xx.ipk.
Installing ip6tables (1.4.21-2) to root...
Downloading http://www.desipro.de/musl/base/ip6tables_1.4.21-2_bcm53xx.ipk.
Installing iptables (1.4.21-2) to root...
Downloading http://www.desipro.de/musl/base/iptables_1.4.21-2_bcm53xx.ipk.
Installing libip4tc (1.4.21-2) to root...
Downloading http://www.desipro.de/musl/base/libip4tc_1.4.21-2_bcm53xx.ipk.
Installing libxtables (1.4.21-2) to root...
Downloading http://www.desipro.de/musl/base/libxtables_1.4.21-2_bcm53xx.ipk.
Installing libip6tc (1.4.21-2) to root...
Downloading http://www.desipro.de/musl/base/libip6tc_1.4.21-2_bcm53xx.ipk.
Configuring libgcc.
Configuring libc.
Configuring libxtables.
Configuring libip4tc.
Configuring libip6tc.
Configuring iptables.
Configuring ip6tables.
Configuring ip6tables-mod-nat.

Here's a list of modules....

root@HE-IPv6:~# find / -name *.ko | grep ip6
/lib/modules/4.4.61/ebt_ip6.ko
/lib/modules/4.4.61/ip6_tables.ko
/lib/modules/4.4.61/ip6_tunnel.ko
/lib/modules/4.4.61/ip6_udp_tunnel.ko
/lib/modules/4.4.61/ip6t_REJECT.ko
/lib/modules/4.4.61/ip6t_ah.ko
/lib/modules/4.4.61/ip6t_frag.ko
/lib/modules/4.4.61/ip6t_ipv6header.ko
/lib/modules/4.4.61/ip6t_rpfilter.ko
/lib/modules/4.4.61/ip6t_rt.ko
/lib/modules/4.4.61/ip6table_filter.ko
/lib/modules/4.4.61/ip6table_mangle.ko
/lib/modules/4.4.61/l2tp_ip6.ko
/lib/modules/4.4.61/mip6.ko
root@HE-IPv6:~# find / -name *.ko | grep nat
/lib/modules/4.4.61/ebt_dnat.ko
/lib/modules/4.4.61/ebt_snat.ko
/lib/modules/4.4.61/ebtable_nat.ko
/lib/modules/4.4.61/nf_nat_ipv6.ko
/lib/modules/4.4.61/nf_nat_pptp.ko
/lib/modules/4.4.61/nf_nat_proto_gre.ko
/lib/modules/4.4.61/nf_nat_sip.ko

Here's a list of 'ip6' opkg packages....

root@HE-IPv6:~# opkg list | grep ip6
ip6tables - 1.4.21-2 - IPv6 firewall administration tool
ip6tables-extra - 1.4.21-2 - IPv6 header matching modules
ip6tables-mod-nat - 1.4.21-2 - iptables extensions for IPv6-NAT targets.
kmod-ip6tables - 4.4.7-1 - Netfilter IPv6 firewalling support
libip6tc - 1.4.21-2 - IPv6 firewall - shared libiptc library

I'm not sure what to load, or if all the modules are available to use the 'iptables -t nat' command.

TIA!!

JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

PostPosted: Thu Jun 01, 2017 5:43
Hmmm, not sure what was installed from ip6tables-mod-nat, but I only see ip6table_filter & ip6table_mangle, so only those chains are available. If you browse through /opt, is there a log or something that shows ip6tables-mod-nat actually installed?

Best bet would be for Kong to add it directly to the distro, as nf_nat_ipv6 is already included in the base distro.

***edit: sent Kong a PM, let's see what he says about adding it to the base distro
mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1848
Location: Canada

PostPosted: Thu Jun 01, 2017 14:47
Looking into /opt, there are no log or .ko files....

root@HE-IPv6:~# find /opt -name *.ko
root@HE-IPv6:~# find /opt -name * | grep log
root@HE-IPv6:~# find /opt -name * | grep ip6
/opt/usr/sbin/ip6tables-save
/opt/usr/sbin/ip6tables
/opt/usr/sbin/ip6tables-restore
/opt/usr/lib/libip6tc.so.0.1.0
/opt/usr/lib/libip6tc.so
/opt/usr/lib/libip6tc.so.0
/opt/lib/opkg/info/libip6tc.list
/opt/lib/opkg/info/ip6tables.prerm
/opt/lib/opkg/info/ip6tables-mod-nat.list
/opt/lib/opkg/info/libip6tc.control
/opt/lib/opkg/info/ip6tables-mod-nat.prerm
/opt/lib/opkg/info/ip6tables.postinst
/opt/lib/opkg/info/ip6tables.list
/opt/lib/opkg/info/ip6tables-mod-nat.postinst
/opt/lib/opkg/info/ip6tables.control
/opt/lib/opkg/info/ip6tables-mod-nat.control
/opt/lib/opkg/info/libip6tc.prerm
/opt/lib/opkg/info/libip6tc.postinst

mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1848
Location: Canada

PostPosted: Sat Jun 03, 2017 1:32
Since Kong's Build 31870M (K4.4.61) can't do NAT with IP6TABLES, I took a different approach...

I enabled Encrypt DNS with resolver Cisco OpenDNS over IPv6, which uses port 30.

I added (without quotes) "server=::1#30" to the DNSMasq Options and the following ip6tables rules in the firewall...

# Drop all IPv6 DNS Requests on port 53
ip6tables -I FORWARD -p tcp --dport 53 -j DROP
ip6tables -I FORWARD -p udp --dport 53 -j DROP

On 2 OSes (Windows & Ubuntu) I manually setup the IPv6 DNS to 2001:4860:4860::8888 and 2001:4860:4860::8844 in the network adapters

Checked a website that is blocked on OpenDNS but not on GOOGLE and I received an OpenDNS webpage that the site was blocked.

UPDATE (in bold): I added 2 lines of code to view the DNS cache via CLI command...

cat /tmp/DNSCache.log

Viewing the DNSMasq cache showed me there was no cached DNS. Changing the DNSv6 server for all BRs from [::1] to [::] caused the DNS caching to work.


Updated Scripts....

# -- HE IPv6 DNSMasq --
#
# Log each DNS query with extra detail (query serial and requester address)
log-queries=extra
# Write the log to a file so query and cache activity can be inspected
log-facility=/tmp/DNSCache.log

# Forward to the local DNSCrypt resolver on port 30 over IPv6 loopback
server=::1#30
# Reject & log answers from upstream nameservers that are in private IP ranges
stop-dns-rebind
# Larger cache so more queries are answered locally
cache-size=5000
# IPv6 and RA configuration
enable-ra
# Serve RA and stateless DHCPv6 on br0
interface=br0
ra-param=br0,60,1800
dhcp-range=br0,::1000,::FFFF,constructor:br0,ra-stateless,ra-names,4h
dhcp-option=br0,option6:dns-server,[::]
dhcp-option=br0,option6:ntp-server,[2001:470:0:50::2]
# Serve RA and stateless DHCPv6 on br1
interface=br1
ra-param=br1,60,1800
dhcp-range=br1,::1000,::FFFF,constructor:br1,ra-stateless,ra-names,4h
dhcp-option=br1,option6:dns-server,[::]
dhcp-option=br1,option6:ntp-server,[2001:470:0:50::2]
# Serve RA and stateless DHCPv6 on br2
interface=br2
ra-param=br2,60,1800
dhcp-range=br2,::1000,::FFFF,constructor:br2,ra-stateless,ra-names,4h
dhcp-option=br2,option6:dns-server,[::]
dhcp-option=br2,option6:ntp-server,[2001:470:0:50::2]
# Serve RA and stateless DHCPv6 on br3
interface=br3
ra-param=br3,60,1800
dhcp-range=br3,::1000,::FFFF,constructor:br3,ra-stateless,ra-names,4h
dhcp-option=br3,option6:dns-server,[::]
dhcp-option=br3,option6:ntp-server,[2001:470:0:50::2]
# Don't fill syslog
quiet-ra
quiet-dhcp
#quiet-dhcp6

# HE-IPv6 Firewall Script
#
# The IPv6 GUI only configures br0; give each other bridge its /64
# (the connected route for the prefix is added along with the address)
ip addr add 2001:470:CCCC:2::/64 dev br1
ip addr add 2001:470:CCCC:3::/64 dev br2
ip addr add 2001:470:CCCC:4::/64 dev br3
#
# Use OpenDNS IPv6 DNS servers as dnsmasq upstreams
echo "nameserver 2620:0:ccc::2" > /tmp/resolv.dnsmasq
echo "nameserver 2620:0:ccd::2" >> /tmp/resolv.dnsmasq
#
# Respond to HE tunnel server PING (HE expects the IPv4 endpoint to answer ICMP echo)
iptables -I INPUT 2 -p icmp -s 66.220.2.74 -j ACCEPT
#
# More IPv6 configuration: accept traffic from the extra bridges
ip6tables -I INPUT 5 -i br3 -j ACCEPT
ip6tables -I INPUT 5 -i br2 -j ACCEPT
ip6tables -I INPUT 5 -i br1 -j ACCEPT
# Let LAN clients reach dnsmasq: DNS over UDP and TCP (53) and DHCPv6 (UDP 547)
ip6tables -I INPUT 2 -i br+ -p udp --dport 53 -j ACCEPT
ip6tables -I INPUT 2 -i br+ -p tcp --dport 53 -j ACCEPT
ip6tables -I INPUT 2 -i br+ -p udp --dport 547 -j ACCEPT
#
# Force users to use encrypted DNS by refusing to forward plain port 53 out of the LAN
ip6tables -I FORWARD -p tcp --dport 53 -j DROP
ip6tables -I FORWARD -p udp --dport 53 -j DROP

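An added example, not taken from the thread: a shell script that checks for the two kernel modules JAMESMTL named (ip6table_nat and nf_nat_ipv6) and then emits either the ip6tables REDIRECT rules, when IPv6 NAT is available, or the FORWARD DROP fallback mac913 ended up using when it was not, opening 53/udp and 53/tcp on the bridges in both cases. Rules are printed by default and applied only when APPLY=1, so the decision logic can be read and tested on a machine without ip6tables. The function names, the APPLY variable and the module-directory argument are my assumptions, not DD-WRT conventions.

```shell
#!/bin/sh
# Added example (not from the thread): choose how to keep LAN clients on the
# router's IPv6 resolver, depending on whether the kernel can do IPv6 NAT.

REQUIRED_NAT_MODULES="ip6table_nat nf_nat_ipv6"   # the two JAMESMTL listed

# missing_nat_modules [modules-dir]: names of required .ko files not present.
# Default dir is the one the thread's `find / -name '*.ko'` turned up.
missing_nat_modules() {
    dir=${1:-/lib/modules/$(uname -r)}
    missing=""
    for m in $REQUIRED_NAT_MODULES; do
        [ -f "$dir/$m.ko" ] || missing="$missing $m"
    done
    echo "${missing# }"
}

# nat_table_usable: the runtime check. The thread's error
# "can't initialize ip6tables table `nat'" makes this return non-zero.
nat_table_usable() {
    ip6tables -t nat -L -n >/dev/null 2>&1
}

# choose_mode [modules-dir]: "nat" when both modules exist on disk, else "block".
choose_mode() {
    if [ -z "$(missing_nat_modules "$1")" ]; then
        echo nat
    else
        echo block
    fi
}

# dns_rules <mode> [lan-interface-glob]: print the ip6tables commands.
dns_rules() {
    mode=$1
    lan=${2:-br+}
    # In either mode the router's resolver must accept DNS from the bridges,
    # over UDP and TCP (the thread's script only opened UDP).
    for proto in udp tcp; do
        echo "ip6tables -I INPUT -i $lan -p $proto --dport 53 -j ACCEPT"
    done
    case "$mode" in
        nat)
            # Rewrite any client-chosen IPv6 resolver to the router itself,
            # the IPv6 counterpart of the IPv4 DNAT rules earlier in the thread.
            for proto in udp tcp; do
                echo "ip6tables -t nat -I PREROUTING -i $lan -p $proto --dport 53 -j REDIRECT --to-ports 53"
            done ;;
        block)
            # No NAT available: refuse to forward DNS to outside resolvers instead.
            for proto in udp tcp; do
                echo "ip6tables -I FORWARD -i $lan -p $proto --dport 53 -j DROP"
            done ;;
        *)
            echo "dns_rules: unknown mode $mode" >&2
            return 1 ;;
    esac
}

# main: pick the mode from the running kernel, then print or apply.
main() {
    mode=$(choose_mode)
    # A .ko on disk is not a loaded module (the insmod point made above).
    if [ "$mode" = nat ] && ! nat_table_usable; then
        echo "# nat modules present but table not usable; try: insmod ip6table_nat" >&2
        mode=block
    fi
    echo "# mode: $mode"
    if [ "${APPLY:-0}" = 1 ]; then
        dns_rules "$mode" | sh -e
    else
        dns_rules "$mode"
    fi
}

main
```

DROP leaves clients waiting on timeouts before they fall back to the router; ip6t_REJECT.ko is in the module list above, so `-j REJECT` in the FORWARD rules is the option when a fast failure is preferred. In nat mode, REDIRECT in PREROUTING only changes the destination, so the INPUT accept rules are what actually let the redirected queries reach dnsmasq.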